No remote access through VPN

What is your local IP address on the VPN interface? If it's on a different subnet than your LAN then nothing will be routable between them.

If this is the case your Pi should also have a virtual interface with a VPN address which you may be able to use to access Grafana. Alternatively you can use iptables and NAT your VPN traffic to the correct subnet.

Sorry for late reply. I was not allowed to post another reply for 22 hours.

@jordanm Not sure what you mean with VPN interface?

But the Pi has a virtual interface with an ip address assigned from Zerotier. Local ip address on eth0 is 192.168.178.36. The ip address on the virtual interface is 10.147.17.36. And I have access to the machine through VPN, just not to grafana.

So to access Grafana over the VPN, try using the IP of the virtual IF: 10.147.17.36:4000

If this doesn’t work, use this command to NAT the address:
sudo iptables -t nat -A PREROUTING -d 10.147.17.36 -p tcp --dport 4000 -j DNAT --to-destination 192.168.178.36

Then connect again to 10.147.17.36:4000 and the firewall will NAT the address to the eth0 interface and it should work.

That’s what I did all the time with the results posted already.

I tried using your proposed command.
What happens now is the following:

  1. using my mobile phone connected through Wifi to my local network with VPN on (assuming that even the local traffic routes through the VPN then, but could be wrong)

  2. I can connect to the Grafana server using 10.147.17.36:4000 in Safari with success

  3. tail -f /var/log/syslog shows traffic coming through

  4. now I disable VPN and switch Wifi off

  5. enable VPN again and try to connect to 10.147.17.36:4000 through mobile network 4G (ipv4)

  6. syslog showing:
    Apr 12 10:07:35 TakuMoe_Open_Pi grafana-server[636]: t=2019-04-12T10:07:35+0200 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/ status=302 remote_addr=10.147.17.35 time_ms=5 size=29 referer=
    Apr 12 10:07:35 TakuMoe_Open_Pi grafana-server[636]: t=2019-04-12T10:07:35+0200 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/login status=302 remote_addr=10.147.17.35 time_ms=42 size=24 referer=

  7. but no luck connecting to the grafana. All I see is “Error The request timed out: http://10.147.17.36:4000/” on my mobile browser

Well, it looks like the server is receiving and processing the request but it is not being sent to the VPN host. And it's very strange that the VPN works while connected to the LAN, but not while accessing it from outside.

To confirm, both Grafana server and VPN server are running on the same host?
If NOT, do you have an SNAT rule in your VPN firewall, or an entry in the routing table of your grafana server, to route back to the VPN subnet?

Are you able to connect to any other devices through the VPN? Try testing the address with ping.

Do you have any other rules in your firewall? What is the output of:
iptables -L
iptables -t nat -L
?

It definitely seems more like a networking issue than a grafana issue.
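Added example (not part of the original thread): the reply above reasons that a "Request Completed" line in the Grafana log proves the request arrived over the VPN, which points at the return path rather than at Grafana. This Python sketch applies that check to the two log lines posted earlier; the /24 ZeroTier prefix and the function names are assumptions made for the example.

```python
import ipaddress
import re

# Assumption: the thread shows only 10.147.17.35 and .36; a /24 is assumed.
VPN_NET = ipaddress.ip_network("10.147.17.0/24")

# The two log lines from the post above, typographic quotes made straight.
PREFIX = "Apr 12 10:07:35 TakuMoe_Open_Pi grafana-server[636]: t=2019-04-12T10:07:35+0200 "
SAMPLE = (
    PREFIX + 'lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= '
    "method=GET path=/ status=302 remote_addr=10.147.17.35 time_ms=5 size=29 referer=\n"
    + PREFIX + 'lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= '
    "method=GET path=/login status=302 remote_addr=10.147.17.35 time_ms=42 size=24 referer=\n"
)

# key=value pairs: the value is "quoted text" or a (possibly empty) run of non-spaces.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_line(line):
    """Return the logfmt fields of one grafana-server syslog line, or None."""
    line = line.replace("\u201c", '"').replace("\u201d", '"')  # pasted curly quotes
    _, tag, rest = line.partition("grafana-server[")
    if not tag:
        return None
    payload = rest.partition("]: ")[2]
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(payload)}


def inbound_seen(log_text, network=VPN_NET):
    """Map each client address in `network` to the (path, status) pairs it completed."""
    seen = {}
    for line in log_text.splitlines():
        fields = parse_line(line) or {}
        if fields.get("msg") != "Request Completed":
            continue
        try:
            addr = ipaddress.ip_address(fields.get("remote_addr", ""))
            status = int(fields.get("status", ""))
        except ValueError:
            continue  # malformed or missing address/status
        if addr in network:
            seen.setdefault(str(addr), []).append((fields.get("path"), status))
    return seen


def inbound_ok(log_text, client_ip):
    """True if Grafana logged a completed request from client_ip over the VPN."""
    return bool(inbound_seen(log_text).get(client_ip))
```

A client that shows up here but still times out in the browser has a working inbound path, so the reply route and NAT rules are the next thing to inspect.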

Yes, Grafana server and VPN (server? I think it’s called client…confused) running on the same host.
I’m able to connect to any devices which are hosted on the same machine. There is another RasPi in the same LAN, which I cannot reach via VPN. But I think that is normal unless I set up bridge mode at the host running VPN.

Here are the firewall rules:

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 10.8.0.0/24 anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere

$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere 10.147.17.36 tcp dpt:4000 to:192.168.178.36

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 10.8.0.0/24 anywhere
MASQUERADE all -- anywhere anywhere

Yes, I too think it has to do with networking rather than a Grafana problem. But as said in my initial post, I’m a complete networking noob.

Solved: running a portmapper now as a temporary solution.

Thanks everyone for your help.

May I ask you for more details? I have encountered the same problem.
